Transcription

1 Page 1 Transcription ICANN61 San Juan ISPCP Open Meeting Part 1 Tuesday, 13 March 2018 at 15:15 AST Note: Although the transcription is largely accurate, in some cases it is incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the meeting, but should not be treated as an authoritative record. The transcriptions of the calls are posted on the GNSO Master Calendar page So welcome, everybody. I m aware we may be a few ISPs light, but I think it would be a good thing to start anyway. So this is the ICANN61 meeting of the ISP and Connectivity Providers Constituency meeting. I think we'll just have a quick run around the table to introduce ourselves. We ve got a pretty full agenda, and the good news is, although it s scheduled for over three hours, there will be a break halfway through. I m going to break the agenda to give everyone at least a comfort break as we work through. But to start with, I m Tony Holmes. I'm the vice chair of this constituency. Our chair has not been in the best of health recently, Wolf-Ulrich Knoben. He will be joining us remotely. But I'm standing in to chair this meeting for Wolf for this time. So if we could work around the table and if I could ask you to just introduce yourself please. Andy Pitts: Oh yes. Andy Pitts from British Telecom. Jen Taylor-Hodges: Jen Taylor-Hodges from BT as well. Lars Steffen: Lars Steffen. I m with eco, the Internet Industry Association and I remind you to state your name every time when you use the mic. Thank you very much.

2 Page 2 Esteban Lescano: Este Lescano from CABASE, Argentina. Shin Yamasaki Shin Yamasaki from JPNIC. Mark McFadden: I m Mark McFadden from the Midwest Internet Cooperative Exchange. Nicolas Fiumarelli: Nicolas Fiumarelli from LACNIC. I am a fellow first time ICANN. Man 1: (Unintelligible) Czech Republic and Russia also. Hello. Alain Bidron: Thank you. Alain Bidron representing ETNO, the European Telecommunications Network Operators Association. Philippe Fouquart: Philippe Fouquart. I m with Orange and GNSO counselor. Please speak high in the microphone so that more people can hear. Osvaldo Novoa: Osvaldo Novoa from ANTEL, Uruguay. Thomas Rickert: Thomas Rickert, Internet Industry Association eco. In particular, welcome to the fellows who ve joined us. Do we have a roving mic somewhere? If not, maybe we could just ask the people behind us to introduce yourselves. That would be helpful. Ken Hansen: Ken Hansen with Farsight Security. Thank you. Man 3: Jimmy. Don t you want to sit at the table? Come join us. We re not there.

3 Page 3 ((Crosstalk)) Man 3: We can tell you re a member already. You ve applied. Okay. So unless you re moving up. If I could go to the second row. Man 4: (Unintelligible). Welcome. Man 5: (Unintelligible). Thank you very much. And please, you may. Jimmy Rodrigues: Jimmy Rodrigues from CANTO. Thank you. Tony? Tony Harris: Tony Harris from CABASE in Argentina and also GNSO counselor. Okay. So yes, just a reminder to introduce yourself when you take the mic. We certainly need to do that for the transcription. I think our chair will be joining us shortly remotely. The agenda is on the screen, and I'm going to move swiftly on to the first item, which is something that s pretty fundamental and important to this constituency, universal acceptance. We have a number of ISPs who are engaged in that activity. And I'll ask Lars to spend 10 minutes or so bringing us up to date where we are with that activity. Thank you. Lars Steffen: Yes. This is Lars for the record. Thank you, Tony for giving me the opportunity to give you a brief update about the current work of Universal

4 Page 4 Acceptance Steering Group. For those in the room who are not very familiar with the Universal Acceptance Steering Group, we are a working group created in 2015 and we work on that all valid and domain names and addresses are accepted by all into enabled devices, software and systems. We had a full day workshop on Saturday at this ICANN meeting for the USG. And just to give you a brief update on what we are currently working on. So we have a strong focus right now on the EAI, on Address Internationalization. So we are currently working on documentation that can be used by software and service providers to give them guidance and a checklist how to become UA ready. Phase one will be that the systems will be able to send and receive addresses that are based on UTF8. And phase two will be that those service providers are able to host mail boxes also based on EAI. So to achieve this, they are currently working on some comprehensive documentation. So we have two sub working groups. One is focused on EAI. The other one is focused on communications, and I'm one of the cocoordinators next to Christian Dawson. I took coalition and being one of the co-coordinators of the communications team. The next step that we're currently working on is to put together an evaluation of software and service providers, just to have an overview of the market, which kind of software and services we have out there in active usage and what is the current status of them with regards to be UA ready. The next step is when we've accomplished this to create comprehensive outreach to those service and software providers. And one of the things that we are currently working on is also to have some EAI Day. So like we had an I Pv6 Day and for every other - several other occasions, we have the plan to establish an EIA Day to get this momentum growing and also rolling.

5 Page 5 Another thing in this context is (linkification). So we understand (linkification) is the functionality when you type in addresses or web addresses into software or in your mail client or in your check client or Skype or whatever, that the system automatically detects okay, this is a valid address and it will create automatically a link. And we just did a review of several source media applications for example to see if this is implemented, yes or not. And the best system that we've seen is Telegram. So Telegram is very good in identifying addresses and also links in several scripts, even in Arabic, which is not very common in software that we see nowadays. And we will publish this in the second quarter of this year. One of our target audience next in general to, that we address developers and CIOs. We want to focus more strongly on governmental CIOs because from our experience throughout the last year is when we talk to CIOs of companies, that we come very shortly to the question okay, what s in for me becoming UA ready? So even in the western hemisphere, when you talk to people about becoming UA ready and implementing EIA, they say okay, the traffic of EAI is very low in my systems. So what's in it for me to take the effort at implementing this? So when we target more strongly on governmental CIOs, it's not so much a commercial question. It's more about the question of how to do things right and how to implement standards that are established. So in Germany for example, there s a directive to that the government has to offer barrier free online services. Of course they didn't have UA readiness in mind, but this is something where I say okay, this is where UA readiness can be a part of this directive because when you offer online services of a government and there are fields where you can put an addresses, I think it's pretty fair to say okay, you also

6 Page 6 have to accept addresses that are not based on ASCII but also UTF-8. It s just a question of being inclusive from my point of view. To - also to give - to drive more traffic to our content, we now established a few social media channels. So we opened up a Facebook page for the Universal Acceptance Steering Group we set up a Twitter handle. We created a YouTube account to give everybody who would like to share the information that we creating and the content that we are developing, to make it as easy as possible to spread the word of universe acceptance. We didn't do that in the first place because we didn't have that much content, but since we started our work in 2015, we now have really a comprehensive library of several documents and blog posts, videos that we can share. And when you go to those sites, also please feel free to like them. I think it's pretty easy now just to share or retweet the information to make it as easy as possible and to spread the word of universe acceptance. Another thing that we did is maybe someone in the room know those stories from (Ramone) who sent out FedEx mails. When he encountered universe acceptance issues with dot info many years ago, we did the same and we sent 400 physical letters to CIOs of the Fortune 400 companies. And well, the engaged that we created was 1%. So this is also one of the core and key learnings for us that we still have to work hard on outreach to get the message through. This is why we established another thing. It s the UA ambassador program. So if you're already active working on spreading the word on universe acceptance, or you're already engaged but maybe we don't have you on our agenda, feel free to apply becoming one of the UA ambassador. So we already onboarded three persons at this meeting and we - it s an ongoing process. So feel free to apply any time you like. The idea is to give them substantial support. So there will be funding for travelling and also to

7 Page 7 attend conferences when you get a speaking slot and things like that to spread the word on universe acceptance. There s a document on our website, UASG.tech where you can see the requirements and what we'd like to know from you to apply to become a UA ambassador. It s a great opportunity I think. Feel free to take a closer look at it and apply. The next thing is that we establish more local partnerships, especially in China and in India because those are the regions where it makes most sense for software and services providers to become UA ready. And at the last mock meeting, we also had a panel discussion to get more engaged with the providers that are active at mock, and also to address server security issues people might have with EAI. So for this, we had the workshop at this ICANN meeting on Saturday. We had a public forum yesterday, and we have several speaking slots in other constituencies as well to address several points. So yesterday a tech day at the ccnso, we had a very technical focused presentation. We had one presentation also to the GAC to address that we would like to talk to the governmental CIOs, to talk to them how they can implement UA readiness in their systems. And those two paths are now - those that we have a strong focus on EAI and the CIOs, with an eye on the governmental CIOs, and those are the paths that we are currently working on. This is a brief update of the UASG. Thank you, Lars. Great job. I have a couple of questions, but I ll open up for other points first. Tony? Tony Harris: Yes. So thanks, Lars for this good report. I have a question because at the Abu Dhabi meeting, there was somebody in the workshop, the UA workshop who was from India, and he was talking about an initiative from the Indian

8 Page 8 government to give every single inhabitant an address with an IDN included. Did that - is that progressing? Are there any technical impediments to that for them to do that? Because that's a story I think we should feature in our newsletter if it comes to be. Lars Steffen: Thank you, Tony for asking this. It s Ajay Data from India. He s with XgenPlus, one of the software providers. And yes, they did and that s - oh, he just entered the room. Ajay, please feel free to come to the microphone. Ajay Data: (Unintelligible). Lars Steffen: Yes please. So this is first-hand information. Ajay Data: Yes, why not. So thank you and very important question. Yes, we have progressed in one of the states already. Ajay Data for record. We are already tied up with government of Rajasthan with 70 million users. This project has gone live on Rajasthan.Bharat which is a Hindi domain. And every citizen has been given one free address by government, hosted by government, sold by government, completely free for life. Government of India is also contemplating - we actually have even the contract from them. This is an execution and there are many projects like that are going to come from government of India because of they want to do something on education separately, something for government of employ separately, something for citizens separately. So there is a big plan going on and I think I m missing the secretary here. I just talked to him yesterday night that can you come over and announce him on remote here or something. I think he's going to do that in Panama. Thank you very much.

9 Page 9 Lars Steffen: Thank you so much, Ajay. Perfect. Completely perfect. Tony Harris: You can stay in the meeting if you like. Just to remark. I'm going to recirculate the attendance list because I know some people joined after. So if we could just go around the table and then around the back of the room, that would be - appreciate it. Other questions on universal acceptance. I have a couple of questions first. I know you very much focus on elements of the community who need to understand universal acceptance, to make sure that they are engaged in it. But are they really still - I don't know what metrics you ve used, but are there certain areas of the world which in your view are still pretty dark on this? Are you targeting towards that at all, as well as the technical elements? Lars Steffen: Well, when it comes to which parts of the world are darker than other, to say it that way, as we see now in India, of course there are stronger initiatives where you have a stronger benefit from becoming UA ready. So when I talk to our members for example who are large providers in Europe and in the US, and I ask them how much traffic do you have with EAI? They say - still stay it s below 1% for them. So this is the reason why we very soon encounter the question, what's in for me becoming UA ready and taking the effort? So this is the reason why. We need those strong examples like in India, to give a good example that it s worth to become UA ready. And then of course in the Western Hemisphere, it's maybe more valuable to take the first step, becoming UA already in the sense that you accept new

10 Page 10 GTLDs for example because it's also still something we have to work on that if you want to use an online service or subscribe at an online service and you use an address that s based on new GTLD, that s still often rejected. So last year in 2017, we did a review of the top 1,000 websites, and we checked several test addresses from short ASCII TLDs, long ASCII TLDs, several versions of mixed scripts, down to having full Arabic addresses, and when you've got a short full ASCII - a full ASCII address with a short TLD, the acceptance rate is 92%. So this is the reason, because you may have a short TLD, but when the developer of the online service hardcoded a number of TLDs and you've got a short new GTLD, it s still rejected. So when you've got a long full ASCII address like dot technology or dot photography, the acceptance rate goes down to 78%. When you've got several mixed scripts ones, it goes down to 40 to 30%. And when you've got a full Arabic address that s also written from right to left, the acceptance rate goes down to 8%. Right. Yes. Some - still some challenges in there. You mentioned also having a specific day. Can you say more about thoughts around that? Because we ve obviously had those ISP focus days at various ISP meetings. Is your intention to hook it on to one of those or is it something independent of that? Lars Steffen: This is Lars for the record. This is something we still have to work on to create a plan. Also when it comes to the date, we planned this for So still somewhere I had to state. But it's one of the projects we agreed upon at this meeting, that this is something we d like to work on.

11 Page 11 So this is something we have to create and have a plan and a path that we have to follow to achieve this goal to have an EIA Day. So this is something where we probably will give updates at the next ICANN meetings. Okay. Ajay Data: Can I add something here? Yes please. Ajay Data: small, 30 seconds. I think one thing I must mention - Ajay Data here for record. I am one of the large ISPs in India also, and I am saying this with real example that when we announced that we are supporting IDNs, the - and we started bundling it with our connections as a hosted plan, the stickiness of the customer goes up. And in fact, the people who are forward looking, who are technology oriented, who wants to be updated, prefers the entire services from us. So this is one example and a low hanging fruit before people take up this opportunity. This is for all ISPs. This is something to look at to enable yourself, enable ourselves for EIA readiness and announce it for your own customers. Okay. Thank you. Lars, I'm sure behalf of Wolf-Ulrich, that we would welcome having that dialogue about trying to help with a few tracker meetings if that is in your thoughts. I'm sure it will be a positive response. Thank you. Okay. No more questions on that particular issue. Let's move on with our agenda. I'm aware we're running a little late already, but we started late and I'm sure we'll recover from that as we go along. So the next item on the agenda is something called GDPR, which I think people might have heard of. And the regional it s on the agenda was that when Wolf-Ulrich and I looked at this, we

12 Page 12 were aware there was going to be substantial discussion across this meeting and I think it's true to say that s happened. We've billed this as further steps in ISPCP position. Now, there have been some pretty intense debates around this. We had the discussion in the ISP private meeting. And during that session, we were joined by Thomas. We discussed the position that's been taken by the BC and IPC who are both putting comments and were looking for us to basically join them with those comments. We had no consensus to join them with that particular set of comments they submitted. We did have some healthy discussions around that. But I'm going to open the floor now for views as to where this goes. There s a lot of open issues here. And certainly the CSG discussions this morning that we had with Göran, followed by the interchange we've had with the board I think has highlighted some of the concerns that are around. And we have on the table of course, the cookbook that is currently being discussed as a potential way forward. There's also the onus on everyone to speak with their GAC people, hug the GAC it s been referred to a number of times, to try and make sure that the issues and feedback that we'll require from the DPAs is forthcoming. I think a lot of us will have concerns as to the level of feedback that actually comes back. But at this stage, Thomas, maybe I should turn this over to you to get your take on where we currently are and your hopes for moving this forward. That would be helpful. Thomas Rickert: Thanks very much, Tony. Just one question. How much time do we have for this? And then I understand that I'm also supposed to update you on the CCWG accountability?

13 Page 13 Yes, that's right. With this, I'm willing to allow at least 30 minutes on this because I think it's important. Hopefully it won t take that amount of time, but let's try and see. Thomas Rickert: So my suggestion would be to maybe briefly go through the current proposal that ICANN has put on the table. I m not sure whether everyone is fully familiar with the parameters of this interim model. How does it sound? That sounds good. Thomas Rickert: Great. So Lars, if you could go to one of the next slides. There are two slides which actually outline the parameters, and one more. That s it. So what I suggest we do is we go through the individual components of the interim model and I will offer a few comments on these points. So ICANN suggests that all registrant or all registration data as currently collected, will henceforth be collected even under the interim model. And that would include not only the data for the registrant, but also for the admin fee, the billing fee and the tech fee. And the problem with that is that ICANN does not offer any rationale for why this collection is required. And as you may or may not know, the GDPR have one of the principles enshrined in it, which is the principle of data minimization. So you're only supposed to collect as much data as you need to deliver a service or where you have another legal basis for collection and otherwise processing the data. So that's the biggest point of concern because ICANN basically explains in the cookbook that this data shall be collected because we've always collected it and it should be up to the community process to discuss what then ultimately in the long term should be collected.

14 Page 14 So we do think that there is an issue with collecting faulty data. And I should also say that according to what I hear from the data protection authorities, while they have not focused on data minimization too much in the last couple of years, now this is becoming more and more a point that they understand and that they are aware of. We know from some of the major registrars that the data they have on the registrant is identical with the other context in more than 90% of all cases, right? So you don't get too much additional intelligence by collecting data for the admin fee, the billing fee and the tech fee. But where you do collect it, where the data elements are different, you are potentially getting additional issues because the admin fee is not a party to the contract with the registrar. The tech fee is not and the billing fee is not either. So according to the GDPR, you have information duties, and how do you fulfill those information duties if there are third parties involved in the registration? Just to clarify, Thomas. Tony Holmes for the chair, for the record. As we work through, are you happy to take questions as we go? Thomas Rickert: Sure. Go ahead. Just one of the things that I struggle with in this whole concept is trying to separate out the discussions in ICANN that should occur as part of the PDP, the RDS PDP and the requirements of GDPR. And I - in my mind, I need to make that distinction. And I think some of the comments you made probably apply to both of those, sometimes even more towards what I would view as the future work of the PDP rather than the whole issue of GDPR. Thomas Rickert: Yes. I guess my take on it is, we need to make sure that there s a compliant system by May 25, right? And whatever is required to be compliant is the new baseline for the community process. So if you look at the RDS PDP

15 Page 15 working group that s looking into these issues, they will not be able to go below what's required to do - to become GDPR compliant. And I guess this very point is one where we need to work on now. Are you following the data - the principle of data manage? They could go above. Thomas Rickert: They could go above, certainly but I think we need to make sure that we come up with a solution now that will hold water when it's tested in courts. The second point is that Man 6: Just as a point of order. Thomas, would you use this microphone? It s just so the remote Thomas Rickert: I will speak into whatever microphone you want me to speak into. So the next point is transfer of data from the registrar to the registry. This is something where the contracted parties even don't have consensus on. Typically what you would look into when it comes to this point is to see - to assess what data needs to travel from the registrar to the registry to perform the contract for example. And if you look at those on running.com, they don't know who the registrants are, right? So one might think that a registry does not necessarily need to know who the registrant is, but they might do with technical data, who the registrar is so that the registrar might be a sufficient source of information about the registrant. Now, there is a possibility to get that data traveled from the registrar to the registry based on the legitimate interest that can be claimed by the registry. So the registry can say, I want to validate who my customers are, or I want to run security checks to identify patterns of abusive behavior. And those can

16 Page 16 be the legitimate interests for the registry to require the data to be transferred from the registrant. And ICANN seems to be inclined to require this transfer of data, which is possible, but to me it s sort of a strange concept to make it a provision enforceable by ICANN that the registry needs to have a certain legitimate interest. Although they might not want to assert it. And we know that there are some registries for example who are not privacy shield certified who say well, we don't want that data. We re okay with the data to stay with the registrar. So that I guess is a point that deserves more discussion. But at least from the discussions that I had with registries, in total numbers the majority of registries is okay with obtaining the data. And they even want to make use of it because they say okay, if there are transfer disputes, it's good to have everything in one central place so that we can actually verify who the legitimate domain owners is. Then transfer of data to escrow agent, you know, the full data shall be escrowed. For your information, that would apply both to data escrow for the registrar, as well as to the - for the registry where you have different escrow agents. Then data retention life of the registration plus two years, which is something that you can do. But ICANN is just saying, this is in line with European data protection laws and I m not aware of any law that would, you know, support this notion, right? So we think that ICANN needs to put a little bit more flesh to the bones and explain why they have chosen registration plus two years. Sorry. Wait, Thomas. You are speaking on behalf of?

17 Page 17 Thomas Rickert: I've spoken to numerous legal counselors with registries and registrars and we've discussed these points. So it's basically a group of contracted parties that have discussed these issues. So and I guess this is one additional point where we need - where we should continue to ask ICANN for more information. So it is possible to use two years, but then you need to explain why is it not six months? Why is it not five years? So you can say that, you know, for example, within two years, most disputes are resolved, or that claims against registries and registrars are limited by statute after this period. And if you have that explanation, then you can put it into the contracts and make it enforceable, right? But in the absence of a legal rationale for why you chose this exact period, it's difficult to defend. The applicability has been a point of discussion. Do you want to ask a question? Man 7: No. Thomas Rickert: So basically are the processors and controllers in the EU need to be compliant, even more so in the European economic area, they need to be compliant. And ICANN wants to make it possible for contracted parties to use their systems throughout the world. We've been discussing this in the closed session the other day, but there's a possibility to use one unique WHOIS system for your global customer base. And that's a point that we agree with. Then ICANN does not require the contracted parties to make a distinction between natural persons and legal persons. And this is a point of ongoing confusion I should say, because particularly the IPC, the BC and other WHOIS customers, deny the fact that the names of legal persons can be personal data.

18 Page 18 And it is true that the GDPR only protects both your data i.e. data of natural persons and this you saw - I'm not sure whether any of you have been in the Public Safety Working Group meeting this morning, but they also say, GDPR only protects the data of natural persons. That is correct, but where the name of a legal entity allows for the identification of an individual, that name of a legal person is personally identifiable data and therefore protected under the GDPR. And therefore we need to be cautious. Some call this is over compliance. I think it is the right level of compliance in order to protect the contracted parties from being sanctioned. Let's move to the next slide please. Please. Sure. Philippe Fouquart: Thank you. Philippe Fouquart from Orange for the record. On this particular point, I suspect that many of the comment would apply to others, but I suspect that this issue with having the name or personal data embedded in the legal entity label is not specific to WHOIS and you could probably have the same issue with the data you were processing, certainly as an ISP or. Thomas Rickert: Correct. Philippe Fouquart: So do we have elements as to how that issue is addressed for those other environments or they mean different from WHOIS? Thomas Rickert: No. I think the only advice that I can give is be cautious. You have a certain risk if you publicize the data of legal entities because some of that data might be personally identifiable data. So if you have - if you as an ISP have sole proprietors or small to medium sized companies as your customers, in many cases the company's names will include the name of the founder, you know. So you need to be cautious, and I think you can make a business decision as to whether you think that there is a big issue with that or not. And my take on

19 Page 19 it is, you know, you might have two points from which you are tackled. That might be the company itself or the individual behind the company, and the authorities. And I think if somebody, you know, with a smaller medium size company, and they go after you for having treated the company data as corporate data i.e. not as personal data, I think you can push back quite a bit and say okay, we took what you gave us. You said you are a company. You said you are a corporation, therefore we truly believed in good faith that the data that you provided is not personal data. And I think in many cases you might get away with it, or even be - or at least your counterpart, the complainant, will not be entitled to damages because they made the mistake in the first place, right? It s something different when it comes to the authorities because if you are sort of inviting wrong treatment of data that is personal data by designing your systems to potentially be flawed, knowing that you will get a lot of company data that will be personally identifiable data, I guess there s a risk that you will be sanctioned, right? So I think the risk is bigger with the authorities than it is with the complaining customers. I hope that answers the question. Philippe Fouquart: Yes. Sort of. Philippe Fouquart again. I guess the question was also, was the element of risk assessed in those other environments? I for one I'm aware of many surnames being used as brand, being sold as brands sometimes, sometimes big names. So and this does not seem to be specific to WHOIS and I would think that us being late, somebody somewhere might have determined and have a legal basis for saying, it's either one way or the other. Again, I'm not a lawyer, but I would think that there might be other environments where this has been investigated.

20 Page 20 Thomas Rickert: I mean you find a lot of clues that corporate data can be personal data in legal literature and then in decisions, right? You find that - you find something on that in one of the latest GAC letters. They explicitly say that corporate data may constitute natural persons data. And also this paper by the international working group on data protection in telecommunications, you know, the Berlin group paper that also states clearly that corporate data can be PII. I think it is - Tony Holmes for the record. I think it is a really flex question because there are a number of different instances where this will come up. It's also probably going to vary as well from jurisdiction to jurisdiction. And there are some cases where the whole thing will change as well. So maybe that just in some way supports Thomas's view that you need to be careful. I think making a hard decision on this is really tough. For instance, when we had the discussion earlier, Thomas in the private session or the closed session, you made the point that your name was part of your business name, but there could be a scenario in the future where somebody wants to buy your company, and they may want to keep your name because it has a reputation going with it that may enhance their commercial place in the marketplace. Thomas Rickert: Which is great. But it shows you how a situation can change and then whether that's personal information is again a difficult issue. So I think across the piece, this is a really difficult one. Thomas Rickert: Yes. And I think everyone who's representing companies around this table can take business decisions to take certain risks. The question is, do we want ICANN to dump on you in an enforceable fashion, that you should be taking certain risk? And I think the answer is no.

21 Page 21 You know, corporate data in many cases will be data that is not protected under GDPR. But there s a huge number of cases where it is actually protected. And therefore I think ICANN is spot on by not forcing the contracted parties to make the distinction between natural and legal persons. Okay. I think we need to speed up a little bit. So we have in this model, a proposal by ICANN only to publicize limited data on the registrant address. So the registrar name will not be published. The street will not be published. They will - they only ask for the publication of the province and country. So the city is not going to be published either, you know, but they still want to have some information in there that allows for a requestor to see okay, roughly what region is the registrant located. The address shall not be publicized as well as the phone number or fax number. When it comes to the address, they re asking for an anonymized address to be published or a web form. And from what I hear from the dev ops, from the contracted parties, their preferred option would be a web form because even anonymized addresses can be harvested if you know the zone files and they can be spammed, you know. And that was one of the major concerns by the data protection authorities, that you would be subject to back marketing, right? So then there - ICANN is asking for a possibility for registrants to have their data published. They call it opt-in. Translating that to legal terms would be a consent based publication of data. So there are individuals or companies that want their data to be publicized and they shouldn t be kept away from doing that. So that is fine. And then next slide please. Sure. Andy Pitts: Yes. Andy Pitts for the record. I just want to know about the opting in. Is that still covered under GDPR? Does GDPR allow for that, you know? If a company says yes, I want my data to be displayed, is that okay?

22 Page 22 Thomas Rickert: Legally, there is no such thing as opt-in in GDPR. It would be consent. So basically - and consent in a perfectly legitimate way of legitimizing data processing. So you can find that in Article 61A of the GDPR. The problem with this is that the consent must be given freely, and there must be no conditions to providing that consent. ICANN is today, in their contract with the registrars, requiring the registrars to obtain the user s consent. But they're not doing that in a legal fashion because they're telling the registrants, you consent to the global publication of your data or you don't get a domain name, you know, and that doesn't work. But if the - if the free unconditional choice of the registrant to have his or her data publicized, that is possible. But contracted parties and everyone in the ecosystem needs to acknowledge that consent can be withdrawn at any time without giving any reason. So, you know, you can't assume that this data, that the registrant permits to be published will be publicized forever. So they can withdraw that consent. Okay. So let's move to the last slide, and that is probably the one of most interest, but with the least answers. And that is that ICANN - no, the one before it. There has been some discussion about site certification because everyone is afraid that a gated access based system will not be ready by May 25, and probably it will be ready by May 25. So what's going to happen in the interim? And there were many who ve asked for a system based on site certification. The IPC and the BC are still pushing for that, and they've chosen the model of zone file access requests for that. And ICANN has now acknowledged that they don't want to pursue the route of site certification because that's just too sloppy, let's say too lose in terms of conditions to provide access to personal data.

23 Page 23 For the accreditation system, ICANN has the plan that they get the governments to work on, that they get the Article 29 Group to help them with this. And I think that this is going to be very challenging. You know, this morning I've asked at the GAC meeting, whether the GAC can confirm that they're going to have something ready by May 25. And they said well, we haven't even started the discussion. And there are many government representatives that I spoke to who said that they don't really want to be in a position of determining who can get access to the data and who would not. Beyond that, there are a lot of issues with providing bulk access to WHOIS data. So in my view, one needs to take a very nuanced approach to this and take a look at who is the requester? Is it an IP holder, a trademark owner for example? Is it law enforcement? If it's law enforcement, is it domestic law enforcement? Is it European law enforcement? Is it law enforcement outside the EU? What about IT security companies? What about consumer protection agencies? They all have - might have different legitimate interests in requesting access to data, but do you want to give bulk access to everyone? Or shall they only have access to a limited set of data? Shall they have bulk access or can they only file individual requests for data, let's say on a specific domain name? These are questions that are completely unanswered, and I think that ICANN s hope that the DPAs will fill in the blanks in the cookbook, will be disappointed. I think that it will be on us the community to write something up and then propose it to the DPAs because at the moment, the cookbook is so patchy that it doesn't even allow for a proper legal assessment. So I think we need to step up, propose something. Let s stick with the example of the retention period. Say okay, this is why we need to ration up the registration plus two years. That is all right for you guys, and then they

24 Page 24 have something that they can take a look at. But just to say it s duration of the registration plus two years, tell us if that's okay. I guess nobody is in a position to answer that if they don't have all the facts surrounding it. So we need to push - put more flesh to the bones in order to make this a comprehensive proposal. Sure. Tony Holmes. Just on that point, I totally agree with you. I think that expecting the DPAs to come up with an answer, I just don't see that happening at all, particularly in the timeframe that we have. And it's probably worth just mentioning, and I'm sure most people here are aware, that already I think in terms of accreditation now, there is some effort going in from the IPC and the BC to draft something. I haven't seen any of that. I don't know what's happening there, but just for the record so everyone s aware. Already there are parts of the community who are looking to try and do something. Where that goes and how it gets embraced in terms of the multi stakeholder approach is - well, it just isn't clear at the moment. But there's just something underway. Thomas Rickert: I guess that's pretty much it. I guess in conclusion, I would say that we need to talk to our GAC representatives as - you know, I ll get to you in a moment, to ask them not only to provide us with their wish lists. The GAC has written a wish list as to what they want the commissioners, that you should keep the WHOIS as open as possible, but they don't explain how it can legally be done, right? And so we should ask them, don t only send us your wish list. Also help us understand how we can make it work legally. And then we should prevent the GAC from becoming operational. You know, they have the clear advisory role according to the bylaws. They should stick to that.

25 Page 25 And we need to be clear, and this is one of the biggest fears of the IPC and BC, that whatever interim model is adopted, that this will be just perpetuated. And we should be very clear that this is just an interim compliance solution and that we need to work on the bottom up multi stakeholder process to get this done through consensus policies, because that s ultimately where ICANN takes its legitimacy from. You had a question. Man 8: Yes. Thank you. (Unintelligible) for the record. Now, just how is it then the change of liabilities? So ICANN as an organization can receive also a fine, for example for the (unintelligible) or it s just the registrar or the registry and just to know that. Thomas Rickert: ICANN has not acknowledged its role. They re now saying that there are some sort of controller, but they don't say in what fashion. There is legal analysis as well as a letter from the Article 29 Group that suggests that the registries, registrars and ICANN could be joint controllers. And data controllers are subject to fines if something goes wrong. Now, what you need to understand is that, you know, if let s say one registrar does something wrong, that doesn't mean that the DPA will fully sanction ICANN. So when it comes to sanctions, they look at who has done something wrong in the mix, right? So if ICANN has done something wrong, they will likely be sanctioned. If a registrar has failed to do things right, that registrar will be sanctioned, you know. So it's not like everyone will be equally sanctioned. But ICANN has made abundantly clear in the cookbook, that they will come up with revised agreements exactly prescribing what needs to be done with the data, and that makes them a data controller in my assessment, right? So the one who controls what s to be done with data, is typically the data controller. And the more ICANN dictates this, the more ICANN is on the hook for being a data controller.

26 Page 26 Thanks, Thomas. One point you made there I think we can all coalesce behind is the fact that we should look on this as an interim arrangement, not just something that will be ongoing for perpetuity. So I think that that's quite clear to all of us now. In terms of where we go from here, it very, very much is a case of, let's see how this unfolds. But one final question here before we change topics, Thomas. I mentioned that there s some effort going in from the IPC to BC to try and look at accreditation. Are you aware - and you have a much broader awareness of this area than many of us here. Are you aware of any other efforts that are also taking price going down that path at the moment? Thomas Rickert: There's a lot of talk. I think Stephanie Perrin has mentioned during the cross community session that she's considering an ISO certification based approach for accreditation. I think that s more in the area of data security and that the data is in safe hands with you. So I don't know exactly how this can be operationalized. Then as far as the accreditation of law enforcement is concerned, there are discussions with Europol. So Europol does seem to have a system whereby they can assert that a certain organization is actually a legitimate law enforcement authority. So there are discussions in various places, and I think there s a huge benefit in using existing systems, you know. I think the IPC and WIPO have suggested that they could potentially help with the accreditation of IP attorneys, you know. So I think everyone is trying to be forthcoming with solutions. Okay, thanks. Any final questions on this topic before we move on? Thank you very much. Appreciate that, Thomas and appreciate your time at the

27 Page 27 earlier closed session as well. So let's move on. And again, we appreciate your help with this one, Thomas. This is looking at the accountability, progress on accountability. And originally Malcolm Hutty was going to join us for this. Malcolm did provide some slides which I think we have. And if we could - I hope I m not taking you by total surprise here, Thomas, but if we could look to display those slides. Malcolm raised or drew attention to a couple of particular issues. But also, Thomas, the floor is open to you if there s any other elements that you think would be helpful to us. Please just go ahead on that basis. Thomas Rickert: Yes. Maybe Lars, the accountability slides that I sent to you. So my name is Thomas Rickert. I m one of the co-chairs of the CCWG accountability. Hello everyone. I m changing hats, right? So we had a plenary session last Friday here in Puerto Rico, and we were quite successful in getting all the sub teams work packages approved. As you know, we had two work streams. Work stream one was done before the transition took place and work stream two was dealing with nine topics in total. That would be eight topics which we're going to see listed on one of the subsequent slides, and then one additional topic on the IRP, The Independent Review. Lars, can you move slides? I'm not going to talk you through all of them. We re not - okay. So these are the eight areas where the sub team reports have now been approved. We typically do that in two readings, right? So we go through the report twice. All of these eight sub team reports have gone through public comment. Those public comments have been analyzed and now we have all the component parts for our final report ready.

28 Page 28 Next slide please. So what we're going to do now is we're going to wrap up all the nine sub group reports, put them into one package, and they're going to be then put out for public comment. And the question is, what's going to happen once this is all approved. And we're going to discuss the approval process a little bit later during this presentation. But there were a lot of questions from the community, as well as from the board, because work stream one and two are quite different. For work stream one, we had to get things done i.e. not only approved, but also implemented before the US government would consider relinquishing its historical role with ICANN. So we needed to get the implementation done. For work stream two, we do not have a mandate as the Cross Community Working Group to do the implementation, nor do we have budget. So our mission will likely end in Panama. And the question then was, what's going to happen with implementation? And the way this is going to happen, and we're going to have a discussion with the board on this tomorrow morning, but our suggestion is that the board comes up with an implementation plan for the work stream two recommendations that will likely be produced by Göran s team, and that the board then consults with an implementation review team consisting of the cochairs of the CCWG, plus the repertoires that were responsible for the sub teams to ensure that whatever implementation is done, that this is done in the spirit of the original CCWG recommendations, right? And this implementation plan, which I think could likely be a three to five year overall plan, because we can't do everything at a time, will then be discussed with the community for the community's approval and feedback, right? So that's the idea. So we're suggesting to set up an implementation oversight team in order to ensure that the recommendations of our work are going to be implemented in a correct fashion.

29 Page 29 Next slide please. So I mentioned to you a little bit earlier that we have the sub team reports ready that we're going to put them together into one big report, and this report is going to be put out for public comment. And we invite you to take a look at the report and comment. But there's a big caveat. We don't want you to comment on the individual recommendations, because all the sub teams reports have been put out for public comment. So we will not accept any comments on the recommendations. We're just asking for feedback on potential inconsistencies between the individual work packages, because you couldn't check consistency when you only saw the individual reports, right? And should you have ideas about what we should have done differently on human rights or transparency or diversity, we will not change our recommendations, but we will archive that input and that can then be used by ATRT or other reviews dealing with accountability, right? So if you see the announcement for public comment next - in the middle of this month roughly, only comment on inconsistencies. Next slide please. Just a quick question, Thomas to make sure I understood that right. Could you just say again how the makeup of the implementation oversight team is going to be? Thomas Rickert: Yes. We had so called repertoires that were in charge of leading the sub committees. So let's say there was one repertoire, two repertoires for transparency, one for diversity, one for human rights. So they all had leaders for the sub teams. And since these leaders have been guiding the genesis of the recommendations in the sub teams, they are subject matter experts. And we want to have the implementation oversight team consisting of those repertoires plus the co-chairs of the CCWG. Does that make sense?